WhyNotHugo 5 days ago

This is another example of why requiring TLS everywhere doesn't make sense. Onion traffic is already encrypted, but because software demands TLS everywhere, we add TLS on top, even when unnecessary. The same happens with 1:1 tunnels, or even localhost. None of these need TLS, and I should be able to tell my browser "enable all features on this site, consider it fully secure".
|
keepamovin 5 days ago

TLS everywhere isn't a sane default designed to coddle power users and security pros, but to protect your everyday netizen. You suffer because of your competency. For your arcane Wizardry you might want: --unsafely-treat-insecure-origin-as-secure https://peter.sh/experiments/chromium-command-line-switches/...

tialaramex 5 days ago

Like using the inherently unsafe language, this only makes sense when you are the wizard, and that's not always so, perhaps better not. I think a lot of wizards have bad days. On Thursday morning, with a fresh cup of coffee and a gleam in their eye, they can write a thousand lines of tricky x86-64 assembler and every single instruction is perfect, like God wrote it. But on Friday evening, after getting only one hour's sleep because Theresa is teething and won't settle, and a screaming match with the CFO who says we have to re-use the old secretary's Dell for the new hire because "money is tight", the wizard just typo'd their own email address twice when filling out a form. On Monday, when somebody else looks at it, it will be apparent that neither of the SSE instructions the wizard just wrote actually exists or has ever existed, which reminds us that the wizard might also have forgotten to check their new code even builds...
|
|
nisegami 5 days ago

Can't this be used to ensure you're communicating with who you think you are? Either in a TOFU (trust on first use) approach, like SSH fingerprints are in practice, or with external verification, like SSH fingerprints can be in theory.

dijit 5 days ago

The .onion name can't exist without having the private key for it; that's kind of the point. There is already a private key needed to prove that who you're talking to is the right person: otherwise the request can't be routed to it. That's pretty fundamental to how Tor hidden services work, actually.

nisegami 5 days ago

Ah, I see. I wasn't familiar with that aspect of it. In that case this seems pointless.
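As an added illustration of dijit's point (example code, not from the thread or the Tor project): a v3 .onion address is the base32 encoding of the service's ed25519 public key followed by a two-byte checksum and a version byte, per Tor's rend-spec-v3, so anyone holding the name can recover the key and check its integrity with no extra material. The 32-byte key below is a constructed sample, not a real service key.

```python
import base64
import hashlib
from typing import Optional

VERSION = b"\x03"  # v3 onion service address format
KEY_LEN = 32       # ed25519 public key length in bytes
NAME_LEN = 56      # base32 length of 32 + 2 + 1 = 35 bytes (280 bits / 5)


def onion_checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the .onion name from an ed25519 public key (rend-spec-v3)."""
    if len(pubkey) != KEY_LEN:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(addr: str) -> Optional[bytes]:
    """Return the embedded public key if the name is well-formed and its
    checksum and version match; None otherwise (typo, truncation, non-v3)."""
    name = addr.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != NAME_LEN:
        return None
    try:
        raw = base64.b32decode(name.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    pubkey, checksum, version = raw[:KEY_LEN], raw[KEY_LEN:KEY_LEN + 2], raw[KEY_LEN + 2:]
    if version != VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey


if __name__ == "__main__":
    sample_key = bytes(range(KEY_LEN))  # constructed sample, not a real key
    addr = onion_address(sample_key)
    print(addr)
    print("key recovered:", parse_onion_address(addr) == sample_key)
```

Pinning (the TOFU idea from the thread) therefore reduces to remembering the address string itself, since it already commits to the key.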
|
|